Adding a role for an LDAP user

An LDAP user's role must also exist in OpsCenter. Add a parallel role in OpsCenter whose name matches one of the user's LDAP roles.

When an LDAP user has been assigned LDAP roles, exactly one of those roles must also exist in OpsCenter; otherwise the user cannot log in to OpsCenter. Add a parallel role in OpsCenter that mirrors the name of one of the LDAP roles assigned to the user. An LDAP user can belong to multiple LDAP roles; however, only one of the roles returned by the group search can be the name of an OpsCenter role. OpsCenter grants that matching role to the user.

The group_search_type property indicates which method is used to determine LDAP group membership:
  • If group_search_type is directory_search, the list of LDAP roles returned by group_search_filter_with_dn must contain exactly one name that matches an OpsCenter role.
  • If group_search_type is memberof_search, the list of LDAP roles taken from the user's memberof attribute must contain exactly one name that matches an OpsCenter role.
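The exactly-one-match rule above can be checked before users try to log in. The following is an added example, not OpsCenter code: it models the documented rule for a set of users and OpsCenter roles and reports who would be granted which role and who would be locked out. It assumes that role names are compared exactly (case-sensitive, including non-ASCII names) and that, for memberof_search, the group name is the cn value of each group DN; neither detail is stated on this page.

```python
# Added example (not OpsCenter code): model the rule that exactly one of a
# user's LDAP roles may match an OpsCenter role, otherwise login is refused.
from typing import Dict, Iterable, List, Optional


def group_names_from_memberof(member_of: Iterable[str]) -> List[str]:
    """Extract group names from memberof DN values such as
    "cn=admins,ou=groups,dc=example,dc=com".

    Assumption: the group name is the cn of the first RDN. Escaped commas
    inside RDN values are not handled by this simple split.
    """
    names = []
    for dn in member_of:
        first_rdn = dn.split(",", 1)[0]            # "cn=admins"
        attr, _, value = first_rdn.partition("=")
        if attr.strip().lower() == "cn" and value.strip():
            names.append(value.strip())
    return names


def resolve_opscenter_role(ldap_roles: Iterable[str],
                           opscenter_roles: Iterable[str]) -> Optional[str]:
    """Return the single OpsCenter role that matches the user's LDAP roles.

    Returns None when zero or more than one OpsCenter role matches; in both
    cases the documented behaviour is that the user cannot log in.
    Assumption: names are compared exactly (case-sensitive).
    """
    roles = set(opscenter_roles)
    matches = [r for r in ldap_roles if r in roles]
    return matches[0] if len(matches) == 1 else None


def audit_logins(users: Dict[str, List[str]],
                 opscenter_roles: Iterable[str]) -> Dict[str, Optional[str]]:
    """Map each user to the OpsCenter role they would receive, or None."""
    roles = set(opscenter_roles)
    return {u: resolve_opscenter_role(g, roles) for u, g in users.items()}


if __name__ == "__main__":
    # Constructed sample data; memberof values are turned into group names.
    users = {
        "alice": group_names_from_memberof(
            ["cn=admins,ou=groups,dc=example,dc=com"]),
        "bob": ["admins", "readonly"],      # two matches: cannot log in
        "carol": ["developers"],            # no match: cannot log in
    }
    for user, role in audit_logins(users, {"admins", "readonly"}).items():
        print(f"{user}: {role or 'LOGIN REFUSED'}")
```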

When LDAP is enabled, only role editing is supported in OpsCenter role-based security. Creating or editing users is disabled when LDAP is enabled because the users originate in LDAP and are managed there. When creating or editing user roles, OpsCenter LDAP supports non-ASCII character sets for the role name. Because LDAP supports non-ASCII character sets for user names, OpsCenter also supports non-ASCII character sets for users logging in to OpsCenter.

Note: Only an OpsCenter admin can add roles.

Prerequisites

After you configure the admin role in the admin_group_name configuration option, log in as a user that has that role so that you can add any needed roles.

Procedure

  1. Click Settings > Roles.
    The Manage Roles dialog appears.
  2. Click Add Role.
  3. Select the cluster.
  4. Enter a role name.
  5. Select the appropriate permissions and click Save.